__ __ __ __ _____ _ _ _____ _ _ _ | \/ | \ \ / / | __ \ (_) | | / ____| | | | | | \ / |_ __\ V / | |__) | __ ___ ____ _| |_ ___ | (___ | |__ ___| | | | |\/| | '__|> < | ___/ '__| \ \ / / _` | __/ _ \ \___ \| '_ \ / _ \ | | | | | | |_ / . \ | | | | | |\ V / (_| | || __/ ____) | | | | __/ | | |_| |_|_(_)_/ \_\ |_| |_| |_| \_/ \__,_|\__\___| |_____/|_| |_|\___V 2.1 if you need WebShell for Seo everyday contact me on Telegram Telegram Address : @jackleetFor_More_Tools:
abi <abi/3.0>,
include <tunables/global>
# attach_disconnected is needed in all profiles defined here because this
# service runs with systemd's PrivateTmp=true
profile ubuntu_pro_esm_cache flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
include <abstractions/python>
include <abstractions/user-tmp>
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
signal send set=int peer=ubuntu_pro_esm_cache//apt_methods,
signal send set=int peer=ubuntu_pro_esm_cache//apt_methods_gpgv,
/etc/apt/** r,
/etc/machine-id r,
/etc/ubuntu-advantage/uaclient.conf r,
# GH: #3109
# Allow reading the os-release file (possibly a symlink to /usr/lib).
/{etc/,usr/lib/,lib/}os-release r,
/run/ubuntu-advantage/ rw,
/run/ubuntu-advantage/** rw,
/run/systemd/container/ r,
/run/systemd/container/** r,
/{,usr/}bin/apt mrix,
/{,usr/}bin/apt-cache mrix,
/{,usr/}bin/ischroot mrix,
/{,usr/}bin/python3.{1,}[0-9] mrix,
# LP: #2067319, #2123870
/{bin/,usr/bin/,usr/bin/gnu,usr/lib/cargo/bin/coreutils/}uname mrix,
/{,usr/}bin/cloud-id Cx -> cloud_id,
# LP: #2067319
/{,usr/}bin/ps Cx -> ps,
/{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
/{,usr/}bin/dpkg Cx -> dpkg,
/{,usr/}bin/ubuntu-distro-info Cx -> ubuntu_distro_info,
/{,usr/}lib/apt/methods/gpgv Cx -> apt_methods_gpgv,
/{,usr/}lib/apt/methods/http Cx -> apt_methods,
/{,usr/}lib/apt/methods/https Cx -> apt_methods,
/{,usr/}lib/apt/methods/store Cx -> apt_methods,
# when there is no status.json cached, esm-cache.service will invoke "snap status"
/{,usr/}bin/snap PUx,
/usr/share/dpkg/** r,
/usr/share/keyrings/* r,
/var/cache/apt/** rw,
/var/lib/apt/** r,
/var/lib/dpkg/** r,
/var/lib/ubuntu-advantage/** rwk,
/var/log/ubuntu-advantage.log rw,
@{PROC}/@{pid}/fd/ r,
@{PROC}/1/cgroup r,
@{PROC}/version_signature r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/status r,
@{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/osrelease r,
profile ps flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice>
capability sys_ptrace,
# GH: #3079
capability dac_read_search,
capability dac_override,
# GH: #3119
ptrace (read,trace),
# LP: #2067319
/{,usr/}bin/ps mrix,
/dev/tty r,
@{PROC}/ r,
@{PROC}/@{pid}/** r,
@{PROC}/uptime r,
@{PROC}/sys/kernel/** r,
# GH: #3079
@{PROC}/tty/drivers r,
/sys/devices/system/node/ r,
/sys/devices/system/node/** r,
}
profile cloud_id flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
include <abstractions/python>
ptrace read peer=unconfined,
/etc/cloud/** r,
/etc/apt/** r,
/etc/apport/** r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/cmdline r,
@{PROC}/1/environ r,
@{PROC}/1/cmdline r,
@{PROC}/@{pid}/status r,
/run/cloud-init/** r,
/{,usr/}bin/ r,
/{,usr/}bin/cloud-id r,
/{,usr/}bin/python3.{1,}[0-9] mrix,
# LP: #2067319, #2123870
/{bin/,usr/bin/,usr/bin/gnu,usr/lib/cargo/bin/coreutils/}uname mrix,
/usr/share/dpkg/** r,
# workarounds for
# https://gitlab.com/apparmor/apparmor/-/issues/346
# LP: #2067319
/{,usr/}bin/systemctl Px -> ubuntu_pro_esm_cache_systemctl,
/{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
/var/lib/cloud/** r,
}
profile dpkg flags=(attach_disconnected) {
include <abstractions/base>
capability setgid,
/etc/dpkg/** r,
/{,usr/}bin/dpkg mr,
# LP: #2067810
/var/lib/dpkg/** r,
}
profile ubuntu_distro_info flags=(attach_disconnected) {
include <abstractions/base>
/{,usr/}bin/ubuntu-distro-info mr,
/usr/share/distro-info/** r,
}
profile apt_methods flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include <abstractions/user-tmp>
capability setgid,
capability setuid,
network inet stream,
network inet6 stream,
signal receive set=int peer=ubuntu_pro_esm_cache,
/ r,
/etc/dpkg/** r,
/{,usr/}lib/apt/methods/gpgv mr,
/{,usr/}lib/apt/methods/http mr,
/{,usr/}lib/apt/methods/https mr,
/{,usr/}lib/apt/methods/store mr,
/usr/share/dpkg/** r,
# LP: #2067810
/var/lib/dpkg/** r,
/var/lib/ubuntu-advantage/apt-esm/** rwk,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/fd/ r,
}
profile apt_methods_gpgv flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include <abstractions/user-tmp>
capability setgid,
capability setuid,
signal receive set=int peer=ubuntu_pro_esm_cache,
/ r,
/etc/dpkg/** r,
# there are just too many shell script tools that are called, like head,
# tail, cut, sed, etc
# LP: #2123870
/{bin/,usr/bin/,usr/bin/gnu,usr/lib/cargo/bin/coreutils/}* mrix,
/{,usr/}lib/apt/methods/gpgv mr,
/usr/share/dpkg/** r,
/usr/share/keyrings/* r,
/var/lib/ubuntu-advantage/apt-esm/** r,
@{PROC}/@{pid}/fd/ r,
# apt-config command needs these
# Note: observed only in xenial tests, but makes sense for all releases
/etc/apt/** r,
/var/lib/apt/** r,
# LP: #2067810
/var/lib/dpkg/** r,
}
# Site-specific additions and overrides. See local/README for details.
#include <local/ubuntu_pro_esm_cache>
}
# these profiles were initially subprofiles of cloud-id, but:
# a) that crashes the kernel
# https://gitlab.com/apparmor/apparmor/-/issues/346
# b) <= bionic doesn't like the // or - chars in profile names
# https://gitlab.com/apparmor/apparmor/-/commit/99755daafb8cfde4df542b66f656597a482129ac
profile ubuntu_pro_esm_cache_systemctl flags=(attach_disconnected) {
include <abstractions/base>
capability net_admin,
capability sys_ptrace,
ptrace read peer=unconfined,
unix bind addr=@*/bus/systemctl/{,system},
# LP: #2067319
/{,usr/}bin/systemctl mr,
/run/systemd/private rw,
/run/systemd/** r,
@{PROC}/cmdline r,
# GH: #3119
@{PROC}/1/* r,
@{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/osrelease r,
# GH: 3119
/sys/firmware/efi/efivars/** r,
}
profile ubuntu_pro_esm_cache_systemd_detect_virt flags=(attach_disconnected) {
include <abstractions/base>
capability sys_ptrace,
ptrace read peer=unconfined,
/{,usr/}bin/systemd-detect-virt mr,
/run/systemd/** r,
/sys/devices/virtual/** r,
# GH: #3119
/sys/firmware/efi/efivars/** r,
@{PROC}/@{pid}/status r,
@{PROC}/@{pid}/stat r,
@{PROC}/1/environ r,
@{PROC}/1/sched r,
@{PROC}/cmdline r,
@{PROC}/1/cmdline r,
@{PROC}/sys/kernel/osrelease r,
}| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| abi | Folder | 0755 |
|
|
| abstractions | Folder | 0755 |
|
|
| disable | Folder | 0755 |
|
|
| force-complain | Folder | 0755 |
|
|
| local | Folder | 0755 |
|
|
| rsyslog.d | Folder | 0755 |
|
|
| tunables | Folder | 0755 |
|
|
| 1password | File | 354 B | 0644 |
|
| Discord | File | 352 B | 0644 |
|
| MongoDB_Compass | File | 386 B | 0644 |
|
| QtWebEngineProcess | File | 404 B | 0644 |
|
| balena-etcher | File | 374 B | 0644 |
|
| brave | File | 348 B | 0644 |
|
| buildah | File | 342 B | 0644 |
|
| busybox | File | 342 B | 0644 |
|
| cam | File | 330 B | 0644 |
|
| ch-checkns | File | 351 B | 0644 |
|
| ch-run | File | 339 B | 0644 |
|
| chrome | File | 349 B | 0644 |
|
| code | File | 349 B | 0644 |
|
| crun | File | 333 B | 0644 |
|
| devhelp | File | 342 B | 0644 |
|
| element-desktop | File | 368 B | 0644 |
|
| epiphany | File | 356 B | 0644 |
|
| evolution | File | 348 B | 0644 |
|
| firefox | File | 410 B | 0644 |
|
| flatpak | File | 342 B | 0644 |
|
| foliate | File | 342 B | 0644 |
|
| geary | File | 336 B | 0644 |
|
| github-desktop | File | 378 B | 0644 |
|
| goldendict | File | 353 B | 0644 |
|
| ipa_verify | File | 351 B | 0644 |
|
| kchmviewer | File | 353 B | 0644 |
|
| keybase | File | 346 B | 0644 |
|
| lc-compliance | File | 360 B | 0644 |
|
| libcamerify | File | 354 B | 0644 |
|
| linux-sandbox | File | 383 B | 0644 |
|
| loupe | File | 336 B | 0644 |
|
| lsb_release | File | 1.35 KB | 0644 |
|
| lxc-attach | File | 351 B | 0644 |
|
| lxc-create | File | 351 B | 0644 |
|
| lxc-destroy | File | 354 B | 0644 |
|
| lxc-execute | File | 354 B | 0644 |
|
| lxc-stop | File | 345 B | 0644 |
|
| lxc-unshare | File | 354 B | 0644 |
|
| lxc-usernsexec | File | 363 B | 0644 |
|
| mmdebstrap | File | 351 B | 0644 |
|
| msedge | File | 352 B | 0644 |
|
| nautilus | File | 346 B | 0644 |
|
| notepadqq | File | 402 B | 0644 |
|
| nvidia_modprobe | File | 1.18 KB | 0644 |
|
| obsidian | File | 350 B | 0644 |
|
| opam | File | 333 B | 0644 |
|
| opera | File | 355 B | 0644 |
|
| pageedit | File | 347 B | 0644 |
|
| plasmashell | File | 680 B | 0644 |
|
| podman | File | 339 B | 0644 |
|
| polypane | File | 350 B | 0644 |
|
| privacybrowser | File | 365 B | 0644 |
|
| qcam | File | 333 B | 0644 |
|
| qmapshack | File | 348 B | 0644 |
|
| qutebrowser | File | 354 B | 0644 |
|
| rootlesskit | File | 354 B | 0644 |
|
| rpm | File | 330 B | 0644 |
|
| rssguard | File | 347 B | 0644 |
|
| runc | File | 334 B | 0644 |
|
| sbuild | File | 339 B | 0644 |
|
| sbuild-abort | File | 357 B | 0644 |
|
| sbuild-adduser | File | 364 B | 0644 |
|
| sbuild-apt | File | 351 B | 0644 |
|
| sbuild-checkpackages | File | 381 B | 0644 |
|
| sbuild-clean | File | 357 B | 0644 |
|
| sbuild-createchroot | File | 378 B | 0644 |
|
| sbuild-destroychroot | File | 382 B | 0644 |
|
| sbuild-distupgrade | File | 375 B | 0644 |
|
| sbuild-hold | File | 354 B | 0644 |
|
| sbuild-shell | File | 365 B | 0644 |
|
| sbuild-unhold | File | 360 B | 0644 |
|
| sbuild-update | File | 360 B | 0644 |
|
| sbuild-upgrade | File | 363 B | 0644 |
|
| scide | File | 355 B | 0644 |
|
| signal-desktop | File | 366 B | 0644 |
|
| slack | File | 342 B | 0644 |
|
| slirp4netns | File | 354 B | 0644 |
|
| steam | File | 363 B | 0644 |
|
| stress-ng | File | 348 B | 0644 |
|
| surfshark | File | 354 B | 0644 |
|
| systemd-coredump | File | 377 B | 0644 |
|
| thunderbird | File | 354 B | 0644 |
|
| toybox | File | 335 B | 0644 |
|
| transmission | File | 2.34 KB | 0644 |
|
| trinity | File | 342 B | 0644 |
|
| tup | File | 330 B | 0644 |
|
| tuxedo-control-center | File | 400 B | 0644 |
|
| ubuntu_pro_apt_news | File | 2.02 KB | 0644 |
|
| ubuntu_pro_esm_cache | File | 6.93 KB | 0644 |
|
| unix-chkpwd | File | 881 B | 0644 |
|
| unprivileged_userns | File | 699 B | 0644 |
|
| userbindmount | File | 360 B | 0644 |
|
| usr.bin.man | File | 3.37 KB | 0644 |
|
| usr.bin.tcpdump | File | 1.65 KB | 0644 |
|
| usr.lib.snapd.snap-confine.real | File | 31.96 KB | 0644 |
|
| usr.sbin.mariadbd | File | 730 B | 0644 |
|
| usr.sbin.named | File | 2.59 KB | 0644 |
|
| usr.sbin.rsyslogd | File | 1.69 KB | 0644 |
|
| uwsgi-core | File | 351 B | 0644 |
|
| vdens | File | 336 B | 0644 |
|
| virtiofsd | File | 352 B | 0644 |
|
| vivaldi-bin | File | 358 B | 0644 |
|
| vpnns | File | 336 B | 0644 |
|
| wike | File | 333 B | 0644 |
|
| wpcom | File | 346 B | 0644 |
|